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[] Abstract — Network coding is an elegant technique where, 
instead of simply relaying the packets of information they receive, 
the nodes of a network are allowed to combine several packets to- 
gether for transmission and this technique can be used to achieve 
the maximum possible information flow in a network and save the 
needed number of packet transmissions. Moreover, in an energy- 
constraint wireless network such as Wireless Sensor Network 
(a typical type of wireless ad hoc network), applying network 
coding to reduce the number of wireless transmissions can also 
prolong the life time of sensor nodes. Although applying network 
coding in a wireless sensor network is obviously beneficial, due 
to the operation that one transmitting information is actually 
combination of multiple other information, it is possible that 
an error propagation may occur in the network. This special 
characteristic also exposes network coding system to a wide 
range of error attacks, especially Byzantine attacks. When some 
adversary nodes generate error data in the network with network 
coding, those erroneous information will be mixed at intermeidate 
nodes and thus corrupt all the information reaching a destination. 
Recent research efforts have shown that network coding can be 
combined with classical error control codes and cryptography 
for secure communication or misbehavior detection. Nevertheless, 
when it comes to Byzantine attacks, these results have limited 
effect. In fact, unless we find out those adversary nodes and 
isolate them, network coding may perform much worse than 
pure routing in the presence of malicious nodes. In this paper, 
a distributed hierarchical algorithm based on random linear 
network coding is developed to detect, locate and isolate malicious 
nodes. To the best of our knowledge, this paper is the first one 
in the literature that proposes a distributed intrusion detection 
and isolation scheme to effectively conquer Byzantine attacks for 
Random Linear Network Coding in a wireless network. 

Index Terms — Random Linear Network Coding, Byzantine 
attacks, intrusion detection, network coding, wireless sensor 
network, locating, watchdog. 

L Introduction 

A. Network Coding 

Network coding has become a paradigm shift in information 
transmission, it is first brought up by Prof. Shuo-Yen Robert 
Li et al |T|. Instead of traditional information transmission 
method, storing and forwarding, network coding allows inter- 
mediate nodes to mix received information together and trans- 
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mit new information generated by the received information in 
terms of encoding. Due to encoding operation at intermediate 
nodes, data can be regarded as information flow through 
network, which is in a sense of data compression. Therefore 
throughput and bandwidth efficiency can be increased and 
delay can be decreased also via network coding. In Q, 
Prof. Shou-Yen Robert Li has showed that network capacity 
with network coding can be bounded by min-cut max-flow 
theory, which is larger than traditional storing- and-forwarding 
method. 

B. Random Linear Network Coding 

Recent research's having proven throughput gain of network 
coding in variety of application makes network coding an 
attractive topic. With algebraic approaches, such as 121. a 
communication pattern with network coding of a network can 
be designed and achieve its promised capacity, which is the 
min-cut from the source to the sinks in a network graph (H. 
However, algebraic approaches require much central informa- 
tion and optimized coding scheme is actually not practical to 
design at most time O. Then a distributed method of network 
coding has been developed Random Linear Network Coding, 
shorted as RLNC | 4 |. RLNC is a powerful tool to disseminate 
information in networks for it is distributed and robust against 
dynamic topology. Without knowing central information such 
as network topology, RLNC regards every encoded packet as a 
coding vector over a finite field ¥q and generates new packets 
at intermediate nodes by linearly combining received packets 
with random coefficient. Some overhead in packet's header is 
introduced to record how packets are combined (in |4|, it is 
called global encoding vector) and sinks can do decoding and 
recover original information as long as they retrieve enough 
packets. 

C. Security issue of network coding 

Network coding shows its variety of possibilities and benefit 
in information dissemination, however, it also introduces new 
type of security issue. The most serious security challenges 
posed by network coding thus seem to come from various 
types of Byzantine attacks, especially packet-modifying attack. 



In particular, RLNC has been shown very robust to packet 
losses induced by node misbehavior |5|. Nevertheless, when 
it comes to packet-modifying attack, RLNC has become quite 
vulnerable. In RLNC, one intermediate nodes will linearly 
combine received packets and generate new packets to next 
multiple receivers. If this node has been compromised and gen- 
erates error packets, other nodes received those error packets 
will also be modified for those error packets will stay in buffer 
and keep being combined with normal packets. Hence, nodes 
of each path these error packets go through would become new 
compromised nodes without self-awareness and disseminate 
more error packets. In other word, the error due to modified 
packets will propagate in network with RLNC. Eventually, the 
whole communication network may be crushed just because of 
one single adversary node. Fig. [T] shows how a single adversary 
node propagates error. 

The paper is organized as follows: Section II illustrates 
pros and cons of related works on Byzantine attacks. Section 
III describes our model and algorithm. Section IV gives the 
simulation results and analysis. Section V shows mathematical 
analysis. Section VI concludes the paper with a summary of 
the results and discussion of further work. 

II. Related work 

Existing method mostly modifies the format of coded packet 
against Byzantine attacks, and can be divided into two main 
categories: (1) misbehavior detection, and (2) end-to-end error 
correction. 

A. Misbehavior Detection 

Misbehavior detection applies error control technique or 
information-theoretic frameworks of encryptography to detect 
the modification introduced by Byzantine attackers. By types 
of nodes who take care of coding burden, misbehavior detec- 
tion can be further divided into generation-based and packet- 
based. Generation-based detection takes similar advantage as 
error-correcting codes and lays expensive computation tasks on 
destination nodes. As long as enough information is retrieved 
by destinations, modification can be detected. |6| proposes 
an information-theoretic approach for detecting Byzantine 
modification in networks employing RLNC. Each exogenous 
source packet is augmented with a flexible number of hash 
symbols that are obtained as a polynomial function of the 
data symbol. This approach depends only on the adversary not 
knowing the random coefficient of all other packets received 
by the sink nodes when designing its adversarial packets. 
The hash schemes can be used without the need of secret 
key distribution but the use of block code forces an priori 
decision on the coding rate. Moreover, the main disadvantage 
of generation-based detection schemes is that only nodes 
with enough packets from a generation are able to detect 
modifications and thus, result in large end-to-end delays. 

On the contrary to generation-based detection schemes, 
packet-based detection schemes allow intermediate nodes in 
the network detecting modified data on the fly and drop 
modified packets instead of only relying on destinations. 




Fig. 1. Error propagation due to modifying packets by Byzantine nodes in 
a network with RLNC 

which is more suitable for high attack probability compared 
to generation-based detection schemes. Packet-based detection 
schemes require active participation of intermediate nodes with 
ability to compute hash function or generate signature based 
on homomorphic hash functions |7J, [8J. Hash of a coded 
packet can be easily derived from the hashes of previously 
encoded packets; in that way, intermediate nodes can verify 
validity of encoded packets before linearly combining them. 
This characteristic also prevents from error propagating in 
network. Unfortunately, homomorphic hash function is also 
computationally expensive and can't be used in inter-session 
network coding scenario while different sources combine their 
own source information together. 

B. End-to-end Error Correction 

End-to-end error correction schemes include error cor- 
recting code method into the process of encoding packets 
and sinks can correct error and recover original information 
under certain amount of error. Like generation-based detec- 
tion schemes, end-to-end error correction schemes lay all 
encoding and decoding tasks on sources and sinks, such that 
intermediate nodes are not required to changer their mode 
of operation. The transmission mode for end-to-end error 
correction schemes with network coding can be described by 
matrix channel Y = AX + Z, where X is the matrix 
whose rows are the source packets, Y corresponds to the 
matrix whose rows are received packets at sinks, A denotes the 
transfer matrix, which records linear transformation operated 
on packets while they traverse the network, also called global 
encoding vectors, and Z describes the matrix according to 
the injected error packets after propagate over the network. 
With error-correcting code, we can recover X from Y . 0, 
1 10] and 1 11 1 discuss performance of error correction ability 
while some channel information, such as loss rate or error 
probability, is known. 1 12 | proposes a simple coding schemes 
with polynomial complexity for a probabilistic error model of 
random network coding and provides bounds on capacity. ifTSll 



provides a special coding method, which adds a zero vector in 
the transmitted packet at the source node with assumption that 
there is a secret channel between source nodes and sink nodes 
to inform sinks where the zero vector locates in the trans- 
mitted packet. This information can't be seen by intermediate 
nodes and it will be very useful while Byzantine attackers 
maliciously modify the transmitted packet. As a matter of 
fact, under some modification level, the more modification, 
the more likely sinks can recover the original information 
by using information from observing modified zero vectors. 
pTl also gives bounds on capacity for two adversarial mode: 
when Byzantine attackers have limited eavesdropping ability, 
optimal rate would be C-z; when Byzantine attackers can 
eavesdrop all links, optimal rate would be down to C — 2z, 
where C is the network capacity and z is the number of 
links controlled by attackers. With special error-correcting 
code, sinks can be more tolerant with errors, but this scheme 
also introduces large overhead in packets which result in 
tremendous transmission efficiency decreasing. 

Even though end-to-end error correcting schemes can re- 
cover original information at sinks, it can't stop error from 
propagating and introduces large overhead (in worst case, only 
I of a packet carries data); misbehavior detection schemes can 
intercept modified packets on the fly to prevent errors from 
propagating, but it unfortunately takes expensive computation 
complexity. We will propose a new type of network coding 
packet and a distributed algorithm to locate Byzantine attack- 
ers and then isolate those nodes. Our algorithm essentially 
control the error propagation over the network and is not 
computationally expensive. Detailed introduction is in the next 
section. 

III. Network Model and Byzantine Attackers 
A. Network Model with RLNC 

Consider a wireless network of n nodes with commu- 
nication range of r randomly distributed in a square area, 
represented by an undirected graph G = (V^E), with | F |= n 
nodes. Let d{i^j) denotes the distance from node i to node j. 
An edge e^j G E when d{i^j) < r. Besides, these n nodes 
have the ability to access the information of their position. 
Without loss of generality, we assume the lower left corner of 
the square area to be the origin and each nodes know their 
coordinate such as (3,4). 

In the communication pattern in which we are interested, 
each node can perform RLNC to disseminate messages. One 
source S trying to multicast k messages {mi,...,m/e} to 
d destinations {Di^ . . . ^ Dd} transmits those messages as 
vectors of bits which are of equal length u, represented as 
elements in the finite field ¥q, where q = 2^. The length of the 
vectors is equal in all transmissions and all links are assumed 
to be synchronized with a global clock splitting time into slots 
or rounds which are common to all nodes tin the network. 
In each time slot, nodes with messages in buffer send out 
new messages on edges to other nodes simultaneously. Let 
Si{t) = {/i, . . . , f\Si{t)\} be the set of all messages at nodes 
i at time slot t, and by definition, for fi G Si{t)^l < I < 



\Si{t)\Ji e ¥q and fi = YZ=i^i^^u,Oii^ e ¥q. When a 
node i sends out a message , this message is actually a liner 
combination, called local encoding, of the messages stored in 
node i with pay load gi^out ^ where 



9i,out 



^ A/,,AeF,;Pr(A=/3) = -,V/3GF, 



fie it) 



The vector /3 = /3| 5.(^)1 ] is called local encoding 

vector, and the message gi^out can be further written as 
follows. 
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where = XllJi ^ the vector 7 = 

[7i,...,7/c] is called global encoding vector. The global 
encoding vectors are transmitter over the network for decoding 
and we define our transmitted packets as Fig. [2] to assure that 
coefficients 7^ are recoded and nodes know that. 

B. Threat Model and Our Algorithm 

We propose an algorithm. Distributed Hierarchical Adver- 
sary Identification and Quarantine, to fight against packet- 
modifying attack introduced by compromised Byzantine 
nodes. Assume zq out of n nodes has been compromised 
as Byzantine nodes and they will modify every packet they 
send out in order to crash the whole network transmission. 
Specifically speaking, these Byzantine nodes modify the global 
encoding coefficients or payload of newly generated outgoing 
messages, which result in error due to that the modified 
vectors may not belong to the vector space spanned by source 
messages and further propagate the errors by following linear 
combinations of other nodes. We seek an algorithm to locate 
these Byzantine nodes and isolate them, so that they cannot 
affect the network. 

As mentioned above, network coding is susceptible to 
the packet-modifying attacks for errors will propagate by 
operation of linear combinations. However, our algorithm, 
DHAIQ, uses this characteristic to let error propagate within 
a certain range in order to let some chosen nodes, referred as 
watchdogs, detect that there are some Byzantine nodes in the 
monitored area. Before starting our algorithm, we assume that 
node density and is known by every nodes from operating 
other algorithm such as aggregate computation. DHAIQ can 
mainly divided into 5 steps: 

1) When a network is under packet-modifying attacks, an 
arbitrary node in the network will trigger the whole 
algorithm. This node is the watchdog of the 1st level. 
This first watchdog will awake the 2nd level's four 
watchdogs and pass two messages, which are node 
density and the monitoring area size. The node density 



is a criterion of termination scheme and the whole 
deployment area is the 2nd level's monitoring range 
as figure |3(a)| illustrates. The awaken watchdogs are 
chosen by locations. These four watchdogs are situated 
in each corner of their common monitoring area. After 
awaking the 2nd level's watchdogs, the first watchdog 
ends its monitoring mode and turns back to its normal 
mode. 

2) Each of the 2nd level's watchdogs will generate its own 
special packet, referred as probe packet. It then sends 
this probe packet to the other three watchdogs in an 



Jl. 



payload 



3) 



area-restricted flooding way as described in figure 3(b) 
Except for these watchdogs, every node that receives 
these packets will do encoding and then sends new 
packets to all its neighbors. These packets will be lin- 
early combined via intermediate nodes and constrained 
to disseminate within the monitoring range. This is all 
determined at the 2nd level. There are four watchdogs 
and obviously four different probe packets which are 
in the same generation. The packets belonging to the 
same generation will start and terminate transmitting 
simultaneously based on a time stamp. Any node that 
receives the probe packets the first time will record 
this time stamp. Nodes will continue encoding and 
sending out packets until the time stamp is expired. If 
a probe packet reaches a node outside the monitoring 
range, this node will drop that packet. The information 
carried by probe packets only traverse in the monitoring 
range. With the time stamp, all nodes that belong to 
the same monitoring area can terminate transmitting 
simultaneously. Before the termination of monitoring, all 
watchdogs keep retrieving packets from other nodes and 
keep a packet pool in their buffer. An arriving packet is 
called innovative packet only if it is linear independent to 
each packets stored in a watchdog's buffer. The discard 
rule is to keep innovative packets and drop all non- 
innovative packets. In this way, we also can limit buffer 
size to a pretty small value. There will be only four 
packets if there's no adversary node in the monitoring 
area. Watchdogs also keep computing the rank of vector 
space spanned by buffered packets until this generation 
is expired. 

If there is any adversary node in the monitoring areas, 
errors would propagate in the monitoring area and 
some of the watchdogs would receive modified packets 
with high probability. Watchdogs can judge whether 
they receive modified packets by the rank of packet 
pools. For example, one can say that there is at least an 
adversary node located in the monitoring area when a 
watchdog has a packet pool of rank 5. As soon as any 
of watchdogs detects the existence of adversary nodes, 
that watchdog will notify the other watchdogs in the 
same generation and trigger the next level's watchdogs 
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Fig. 2. The practical format of transmitted packets 



will divide their common monitoring rang into four 
sub-areas by their corners discussed previously. Each 
watchdog can then duplicate what the first watchdog 
does in step [T]). Each of them awakes four arbitrary 
nodes in its corresponding sub-area and pass node 
density and next level's monitoring range, which is a 
quarter of a current monitoring range according to the 
location of the upper level's watchdog. The awaken 
four nodes will also approximately locate at each comer 
of the sub-area and there will be a total of sixteen 
watchdogs awaken for four sub-areas of the next level 
(3rd level) as displayed in figure 



3(d) 



together as shown in figure 3(c) These four watchdogs 



4) Repeat step [2]) and step |3]), keep dividing the areas in 
a distributed way until we can locate adversary nodes 
in a small enough area. We define this "small enough 
area" by the number of nodes locating in it. When the 
number is small and under a threshold A, we terminate 
the monitoring of this area. The number of the node in 
an area can be estimated by the information of node 
density and monitoring range which are carried by 
probe packets. Therefore this "small enough area" will 
be the least monitoring area we can divide. In the least 
monitoring area, it is very possible that an adversary 
node is chosen as a watchdog. In this case, adversary 
nodes may realize this is the time to temporarily act 
normal and stop modifying the contents of packets. The 
detection will fail due to adversary nodes' temporary 
good behaviors. Any detection in progress will be 
terminated if its monitoring range is under the threshold 
and all the nodes in this area will be marked as suspect 
nodes. 

5) After some random time intervals, another arbitrary 
node will trigger the algorithm again and this time its 
monitoring range will be shifted by a short distance. 
In the very end of the algorithm, we will mark some 



small squares which contain adversary nodes. If we shift 
the monitoring range a little in the beginning of the 
algorithm, the squares we choose will not be identi- 
cally overlapped but partially overlapped. This partially 
overlapped area may contain adversary nodes with high 
probability and the other non-overlapped areas, which 
may contain normal nodes but remarked as suspect, 
would be less suspicious. In this way, we can eliminate 
the number of nodes who are marked as suspects but 
in fact are normal nodes, referred as innocent nodes. To 
get the final result, each node in the network maintains a 
suspect table. Whenever a node is reported as a suspect, 
its suspect level in the other nodes' tables increases by 
1. The nodes with high suspect level will be regarded 
as adversary nodes and isolated. Our simulation results 
show this shift scheme can greatly reduce the amount 
of mistaken nodes. 




(a) The first watchdog awakes (b) Watchdogs of next level start 
watchdogs of next level. sending out probe packets. 




(c) One watchdog detects errors (d) Each watchdog further 
and notifies the others. awakes more watchdogs of next 

level. 



Fig. 3. Hierarchical division of the monitoring areas. 

IV. Analysis and Simulation Result 

A. Probe packets and time stamp 

In most scenarios of RLNC application, the destinations do 
the decoding as long as they receive full rank of packets. 
In our algorithm, we modify this scheme that destinations 
don't decode to fit our requirements. Considering the worst 
case, to detect an adversary node is that all watchdogs gather 
around the center of the monitoring area and the adversary 
node is located at the very edge. Based on the flooding 
method, the least time slot required for watchdogs to receive 
modified packets is the hop number of the shortest path 
from the adversary nodes to the watchdogs, which is half 
diagonal of the monitoring area. Since the source of modified 
packets also come from watchdogs, the average number of 
hop for a modified packet to arrive the watchdogs is ^/2k. 
Note that k is the node number of current monitoring area. 



which is accessible information for watchdogs. We can set 
time stamps of each generation with this number ^/2k to 
assure that watchdogs can receive modified packets and trigger 
the next level whenever there are Byzantine nodes. When a 
time stamp is expired, its corresponding nodes will terminate 
disseminating packets and empty their buffer. 

B. Range of shifting 

Simply repeating the algorithm won't perform better since 
the sub-areas are equally divided. If the algorithm starts with 
the same monitoring area, it will eventually lead to the same 
result and be in vain. Thus we shift the starting monitoring 
area in order to minimize the number of innocent nodes. Now 
the question is how many we should shift each time. It is 
straightforward to see that if we shift more than a single least 
monitoring area, this shift is useless. Hence we know the shift 
range should be no larger than the length of edge of the least 
monitoring area. 

The purpose that we use shift scheme is to further divide 
the least monitoring area into smaller areas so that we can 
eliminate the number of innocent nodes. To this end, we shift 
in both horizontal and vertical directions to let overlapped 
areas divide the least monitoring area mio four smaller areas. 
Hence the question has become how to divide these four 
smaller areas in order to get the least innocent nodes. Basically 
we have two options here, equal division and non-equal 
division. In fact, the equal division method will have the least 
expected value of innocent nodes. The mathematical analysis 
is in section V, and the simulation results also support our 
idea. 

C. Innocent nodes and overhead 

When we mark the nodes in the least monitoring area 
as suspect nodes, we mark all the nodes in the area. In 
fact, some nodes are normal nodes but marked as suspect, 
and we call them innocent nodes. Consider the case which 
we only perform identification algorithm once without using 
suspect table. It is straightforward that uniform distribution of 
Byzantine nodes can lead to the worst result with the most 
innocent nodes. The ratio of innocent nodes is upper bounded 

by — — and this bound grows linearly with respect to 

n 

the number of Byzantine nodes and /i, which is quite a large 
number. Besides, probe packets carry no data information and 
the amount of probe packets transmitted of all generations in 
each level is 0{n^/n). In one identification algorithm, it will 
trigger O(logn) levels totally and therefore total number of 
transmitted probe packets is 0{n^/n\ogn) in time 0{^/n). 

D. Simulation Results 

In our simulation, we uniformly distribute 400, 600 ,800 
and 1000 nodes in a square area with width of 800 and node 
communication range is 50. We simulate our algorithm under 
the circumstance of the amount of adversary nodes varying 
from 5 to 45 and these adversaries are uniformly and normally 
distributed. Fig. [4] is the first result of our algorithm, we can 
see that the innocent ratio of uniform distribution pattern is 
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Fig. 4. Innocent ratio and Byzantine catch ratio for two different distribution 
pattern of adversaries 



Fig. 6. Results for more nodes 
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Fig. 5. Innocent ratio and Byzantine catch ratio with shift scheme 



quite high. The uniform distribution pattern is the worst case 
to our algorithm. In order to decrease the amount of innocent 
nodes, we introduce shift scheme. The result are shown in Fig. 
[5] The result with more nodes is in Fig. [6] As we can see, 
our algorithm performs better in a dense topology. Performing 
shift scheme in our algorithm can eliminate innocent ratio 
effectively, but it also drags down the catch ratio a little bit. 
Because shift scheme also generates holes around boundaries, 
which can not be detected sometimes. The result shows that 
the catch ratio only drops a little, which is an acceptable value. 

V. Analysis 



of innocent nodes. With it, the final results of marked areas in 
each run of algorithm will be different. The overlapped marked 
areas are smaller than the least monitoring areas and contain 
less innocent nodes. Considering the case that overlapped areas 
divide a least monitoring area A into four smaller areas, Ai, 
A2, As and A4. The expectation number of innocent nodes 
will reach a minimum value while Ai = A2 = As = A4. We 
now prove our claim. 

Claim The expectation value of number of innocent nodes 
will reach a minimum when the least monitoring area A is 
divided into four equal areas. 

Proof: Assume that the area A is of size 1 and divided 
into four areas, Ai, A2, As and A4, with the area size of ai, 
a2, as and a^. We have ai + a2 + as + a4 = 1 and ai, a2, 
as, a^ > 0. The least monitoring area A has /i nodes totally 
and k of the /i nodes are adversary nodes. Clearly k < jj. 
The expectation number of innocent nodes is 

E{k) =[1 - (1 - ai)^]ai/i + [1 - (1 - a2)^]a2/i+ 

[1 - (1 - as)%s^ + [1 - (1 - a4)^]a4/i 
=(ai + a2 + as + a/^)ii— 

[ai(l - aif + a2(l - a2)^ + as(l - as)^ + a4(l - a^f]!! 
=11 - [ai(l - ai)^ + a2(l - a2)^ + as(l - as)^ + a4(l - a^)^]ii. 

We want to have E{k) > some constant c, so the problem 
becomes 

maximize xi(l - xi)^ + X2(l - xs)^ + X3(l - xs)^ + X4(l - X4)^ 
subject to xi + X2 + X3 + X4 = 1. 



The shift scheme aims to further divide the least monitoring 
areas into smaller areas so that we can decrease the number 



We denote /(x) = xi(l — xi)^ +^2(1 — ^2)^ +xs(l — xs)^ + 
X4{l—X4)^ and /i(x) = X1+X2+XS+X4 — I. By the Lagrange 



condition, we have 
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Obviously, the solution to theses equations is 

^1=^2=^3 = ^4 = ^ and A= - ^)(^)^-^ 

Thus x* = [i,i,i,i]^. 

Now we need to resort to the second-order sufficient con- 
ditions to determine if the problem reaches a maximum or 

1 

minimum at xi = ^2 = X3 = X4 = -. Let /(x, A) = 

/(x) + X^h{x.) and L(x, A) be the Hessian matrix of /(x, A). 
We can find the matrix 

L(x*,A) = F(x*) + AH(x*) 

~g{k) " 

g(A:) 

~ g(A:) ' 

g(A:)_ 

3 k — 7 

where g(A:) = (-)^~^( — - — ). On the tangent space M = 
{y I 2/1 + 2/2 + 2/3 + 2/4 = 0|, we note that 

y^Ly =y^^i^-)'^-^i^)+yli^-)''-\^)+ 

yl(lrH^) + ylilr\'^)< 0, 

for < 7 and all y j^O. 

Thus L is negative definite on M when k < 7 and / 
reaches a maximum. In our algorithm, we set our /i = 5, 
and k < ji obviously. Therefore, we can always reach a 
minimum expectation value in our setup and it happens at 

ai = a2 = as = a4 = -. 
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VI. Conclusions and further work 

We have proposed a locating algorithm in appliance of 
RLNC to locate compromised Byzantine nodes in a network. 
Our algorithm can locate the areas in where adversary nodes 
locate with some normal nodes being mistaken as adversary 
nodes. To reduce the number of mistaken nodes, we use a shift 
scheme to eliminate the probability of being mistaken. The 
simulation results show that our algorithm performs well in 
Guassian distribution pattern for adversary nodes. In the worst 
case, uniform distribution pattern for adversary nodes, we 
still can locate most adversary nodes and reduce almost 10% 
of mistaken ratio by shift scheme. We also gives discussion 
about the best policy for shift scheme. Fixing the shift range 



to the half length of the least monitoring area has the best 
performance. 

Even though we do locate the areas where adversary nodes 
lie, but there still exist mistaken nodes. A second stage algo- 
rithm is required in order to precisely identify each adversary 
node. Sampling each node one by one in the most suspicious 
area or combining some special coding scheme with our 
algorithm may be a worthy researching direction. 
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